Windows DOS-to-NT Flaws Exploited to Achieve Unprivileged Rootkit-Like Capabilities


Summary:
SafeBreach security researcher Or Yair uncovered a technique that abuses the DOS-to-NT path conversion process to achieve rootkit-like capabilities on Windows systems. When a user-mode function receives a DOS path argument, Windows converts it to an NT path before the file or folder is accessed. A known issue in this conversion is that trailing dots are removed from every path element and trailing spaces from the last path element, so two paths that differ only by such characters resolve to the same object. Building on this known issue, Or Yair identified two vulnerabilities: CVE-2023-36396, a Windows Compressed Folder remote code execution vulnerability, and CVE-2023-32054, a Volume Shadow Copy elevation of privilege vulnerability. Combined with the unfixed conversion behaviour, the technique gives an attacker rootkit-like capabilities without needing privileged access.
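The following is an added example, not code from SafeBreach, Or Yair or Microsoft. It models only the two normalization rules described above (trailing dots stripped from every path element, trailing spaces stripped from the last element) in pure Python, to show how distinct DOS paths collapse onto a single NT path and how code that builds file paths from untrusted names can detect such entries before using them. The real conversion is performed by ntdll and also handles drive-relative paths, ".." resolution and other cases; the `NT_PREFIX` constant, the helper names and the sample entry list are assumptions made for this illustration.

```python
# Added example (not SafeBreach's, Or Yair's or Microsoft's code): a model of
# the trailing-dot / trailing-space stripping performed during DOS-to-NT path
# conversion, plus a defensive check for code that handles untrusted names.
# Assumption: only these two rules are modelled; the real ntdll conversion
# handles far more (drive-relative paths, ".." resolution, the \\?\ prefix).

NT_PREFIX = "\\??\\"          # NT namespace prefix the real conversion prepends


def dos_to_nt_model(dos_path: str) -> str:
    """Return the NT-style path the modelled conversion produces for dos_path."""
    elements = dos_path.split("\\")
    last = len(elements) - 1
    normalized = []
    for index, element in enumerate(elements):
        if element in (".", ".."):
            # relative components are directory references, not names to trim
            normalized.append(element)
            continue
        if index == last:
            # last element: trailing spaces and trailing dots are both dropped
            element = element.rstrip(" .")
        else:
            # every other element: only trailing dots are dropped
            element = element.rstrip(".")
        normalized.append(element)
    return NT_PREFIX + "\\".join(normalized)


def find_collisions(paths):
    """Group DOS paths by the NT path they resolve to; keep groups of size > 1.

    Two different names in the same group alias the same file after conversion,
    which is the property the research builds on."""
    by_nt = {}
    for path in paths:
        by_nt.setdefault(dos_to_nt_model(path), []).append(path)
    return {nt: group for nt, group in by_nt.items() if len(group) > 1}


def is_conversion_stable(path: str) -> bool:
    """Defensive check for extractors, uploaders and similar code: True only if
    the conversion leaves the path unchanged, i.e. no element carries trailing
    dots or spaces that would be silently stripped and alias another name."""
    return dos_to_nt_model(path) == NT_PREFIX + path


# Constructed sample of untrusted entry names (as an archive listing might
# supply them); not taken from the research.
UNTRUSTED_ENTRIES = [
    "docs\\readme.txt",
    "docs\\readme.txt.",
    "bin\\tool.exe",
    "bin\\tool.exe ",
    "bin.\\tool.exe",
    "src\\main.c",
]

if __name__ == "__main__":
    for nt_path, group in find_collisions(UNTRUSTED_ENTRIES).items():
        print(f"{nt_path!r} is reached by {len(group)} distinct names: {group}")
    rejected = [e for e in UNTRUSTED_ENTRIES if not is_conversion_stable(e)]
    print("entries to reject before writing to disk:", rejected)
```

Running the block lists the two groups of names that collapse onto `\??\docs\readme.txt` and `\??\bin\tool.exe`, and the four entries a cautious extractor would reject. The check is deliberately strict: rather than trying to predict every normalization rule, it refuses any name the modelled conversion would rewrite.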

“I discovered how a malicious actor—without admin privileges—could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more,” wrote Or Yair. All issues were reported to the Microsoft Security Response Center (MSRC) in 2023. Microsoft acknowledged these issues and took the following action:

  • Remote Code Execution (CVE-2023-36396, CVSS: 7.8): The vulnerability was confirmed, reproduced, and fixed by Microsoft. It was assessed as an RCE with an “Important” severity.
  • Elevation of Privilege (Write) (CVE-2023-32054, CVSS: 7.3): The vulnerability was confirmed, reproduced, and fixed by Microsoft. It was assessed as a privilege elevation (PE) with an “Important” severity.
  • Elevation of Privilege (Deletion): The vulnerability was reproduced and confirmed by Microsoft. However, they did not issue a CVE or a fix, but instead provided the following response: “Thank you again for submitting this issue to Microsoft. We determined that this issue does not require immediate security service but did reveal unexpected behavior. A fix for this issue will be considered in a future version of this product or service.”
  • Process Explorer Unprivileged DoS for Anti-Analysis (CVE-2023-42757): The vulnerability was reproduced, confirmed, and fixed by the Process Explorer engineering team in version 17.04. CVE-2023-42757 was reserved for this vulnerability by MITRE. MITRE confirmed the vulnerability with Microsoft and will publish the CVE once the details are published online.

Security Officer Comments:
This discovery highlights how known issues that seem harmless can be chained into serious security risks. The implications extend beyond Microsoft Windows, the world's most widely used desktop OS, to all software vendors, most of whom also allow known issues to persist from version to version of their software.

Suggested Corrections:
Microsoft addressed the individual vulnerabilities but has left the underlying DOS-to-NT path conversion behaviour unfixed, so the trailing-dot and trailing-space handling should still be treated as a live risk for any code that accepts file names from untrusted input. Apply the Microsoft fixes for CVE-2023-36396 and CVE-2023-32054 and update Process Explorer to version 17.04 or later. SafeBreach has published a research repository with tools that allow these vulnerabilities to be verified and serve as a basis for further research and development.

Link(s):
https://securityaffairs.com/162129/security/windows-dos-to-nt-flaws-rootkit-like-capabilities.html